PHP Page 9 - Building an E-Commerce Site Part 2: Managing Users with Sessions
Step 6: A Note on Security - PHP
This is the second article in a three-part series dealing with using PHP 4 and MySQL to make a comprehensive e-commerce storefront solution. This article covers session management within the store, user privileges, and a few security concerns.
So you may be thinking, "How secure is all this?" That's a good question. There are many places where security can be compromised here, so you have to ask yourself:
How much do you trust PHP4's session management functions to be immune to people trying to hijack other sessions -- after all, there is just one PHPSESSID variable that separates you from everyone else using the system (oooh, scary thought). How unique is that PHPSESSID anyway?
Assuming PHP4's session management functions are bulletproof, how much do you trust my login routines and my privilege / access checking routines?
How safe is your database? Can someone connect remotely and diddle with your tables and read or alter data without you knowing? (NOTE: Never ever ever ever ever ever ever ever store credit card information in your database. You don't need it there, and you don't want the liability!)
How safe are your scripts? Can someone change them without you knowing? How safe is your ISP? When was the last time you verified all the permissions on your files so that no one else can read/edit them?
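The first two concerns above (session hijacking through a guessable or reused PHPSESSID, and the trustworthiness of the login and privilege checks) are the ones a store owner can actually do something about in code. The following is an added example, not the series' own code and not something PHP 4 offers: it assumes a modern PHP (7.3 or later) running over HTTPS, and stands in for the database with a constructed in-memory user table (find_user_by_name is a hypothetical helper). It shows the controls that matter: only server-issued session IDs are accepted, the ID never travels in a URL, the cookie is marked secure and HttpOnly, the ID is regenerated the moment the user logs in so a pre-login ID cannot be replayed, and privilege checks read from the server-side session rather than from anything the client sends.

```php
<?php
// Added example (not the series' code). Assumes PHP 7.3+ and HTTPS.
declare(strict_types=1);

// Constructed stand-in for the users table; a real store would query MySQL here.
function find_user_by_name(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'pw_hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'is_admin' => false],
            'bob'   => ['id' => 2, 'pw_hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'is_admin' => true],
        ];
    }
    return $users[$username] ?? null;
}

function start_hardened_session(): void
{
    // Refuse session IDs the server never issued (defeats session fixation).
    ini_set('session.use_strict_mode', '1');
    // Cookies only: never carry PHPSESSID in the URL, where it leaks via logs and Referer.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,        // expire with the browser
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    $user = find_user_by_name($username);
    // Constant-time comparison via password_verify; same failure path for unknown users.
    if ($user === null || !password_verify($password, $user['pw_hash'])) {
        return false;
    }
    // Privilege level changed: issue a fresh ID and delete the old one.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['is_admin']  = $user['is_admin'];
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie on the client as well as destroying the server-side data.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Every protected page calls this first; it trusts only server-side session state.
function require_login(int $idle_limit_seconds = 1800): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > $idle_limit_seconds) {
        logout();
        header('Location: /login.php', true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
}

function require_admin(): void
{
    require_login();
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage on a login page (hypothetical form fields):
// start_hardened_session();
// if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: /account.php', true, 303); exit; }
```

Two design points worth noting: session_regenerate_id(true) is what closes the "one PHPSESSID separates you from everyone else" gap for the fixation case, because an ID an attacker planted before login is discarded; and the admin check never consults a form field or cookie set by the client, so a user cannot promote themselves by editing the request. Neither control helps if the session store itself (files, or a database table) is readable by other users on the same host, which is the file-permission question raised in the next paragraph.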
Anyhow, my point is that what we are developing here should NOT be used in a production environment without you understanding all the risks involved. I've just presented a few to get your mind thinking about security risks.